On Mon, Apr 22, 2019 at 4:14 AM Abid Raza <[email protected]> wrote:
>
> any update Sir.
>
From the tiny picture you posted, it doesn't look like OSSEC traffic is
making it to (or from?) that system. If that was from the OSSEC server,
something seems to be blocking the traffic somewhere between the agents
and the server. If it's an agent, is OSSEC running?

> On Tuesday, 16 April 2019 17:50:57 UTC+5, Abid Raza wrote:
>>
>> PFA the result.
>>
>> On Saturday, 13 April 2019 07:08:51 UTC+5, dan (ddpbsd) wrote:
>>>
>>> On Thu, Apr 11, 2019 at 8:17 AM Abid Raza
>>> <[email protected]> wrote:
>>> >
>>> > Hi,
>>> >
>>> > I can see the keys in the client.keys file. Could you please let me know
>>> > the steps to check the OSSEC Traffic you mentioned in your last email?
>>> >
>>>
>>> Replace INTERFACE with the name of your network interface.
>>>
>>> `sudo tcpdump -nni INTERFACE udp and port 1514`
>>>
>>> This causes tcpdump to not translate hostnames and port numbers,
>>> listen on INTERFACE,
>>> and only display udp traffic on port 1514.
>>>
>>> > On Tuesday, 9 April 2019 17:19:35 UTC+5, dan (ddpbsd) wrote:
>>> >>
>>> >> On Tue, Apr 9, 2019 at 3:09 AM Abid Raza
>>> >> <[email protected]> wrote:
>>> >> >
>>> >> > Hi,
>>> >> >
>>> >> > List-agents -n shows nothing. Please see the attached snapshot.
>>> >>
>>> >> That's strange. Verify the agents are added by checking
>>> >> `/var/ossec/etc/client.keys` (don't post that, it has secrets)
>>> >> Nothing related in the ossec.log that I saw, but images are much
>>> >> harder to parse than text.
>>> >> I don't see anything relevant in the tcpdump output. Please look for
>>> >> OSSEC traffic (udp port 1514), bootp and dns isn't very helpful.
>>> >>
>>> >> > Yes, I added agent in the OSSEC Server, Copy the key from OSSEC server
>>> >> > and paste it on the OSSEC Agent which is my Active Directory Windows
>>> >> > Server.
>>> >> > Attached is the screen shot of the osseclog file. Please review it.
>>> >> > Attached is the snapshot of TCP Dump. Please review it.
>>> >> >
>>> >> > Please let me know if any additional information is required.
>>> >> >
>>> >> > Thanks
>>> >> >
>>> >> >
>>> >> > On Monday, 8 April 2019 23:00:17 UTC+5, dan (ddpbsd) wrote:
>>> >> >>
>>> >> >> On Mon, Apr 8, 2019 at 10:13 AM Abid Raza
>>> >> >> <[email protected]> wrote:
>>> >> >> >
>>> >> >> > Team,
>>> >> >> >
>>> >> >> > I have recently installed a standalone OSSEC 3.2 Server and added
>>> >> >> > my Active Directory servers as agents. I have also installed OSSEC
>>> >> >> > Agent v3.2 on my Domain Controllers and started the agent service.
>>> >> >> >
>>> >> >> > I don't see any logs in the archive.log or ossec.log file.
>>> >> >> > Furthermore, when I run the command /var/ossec/bin/list_agents -c,
>>> >> >> > it shows me "Not agents are available"
>>> >> >> >
>>> >> >>
>>> >> >> Does `/var/ossec/bin/list_agents -n` show you anything?
>>> >> >> Did you add the agents to the OSSEC server, export the keys, and
>>> >> >> import the keys on the agents?
>>> >> >> Is there anything related in the ossec.log of either the agents or
>>> >> >> the server?
>>> >> >> Using tcpdump on the OSSEC server, make sure packets from the agents
>>> >> >> are making it to the server. Make sure the server is responding to
>>> >> >> those agents.
>>> >> >>
>>> >> >> > Could you please help me if I am missing any configuration as I am
>>> >> >> > new in the OSSEC.
>>> >> >> >
>>> >> >> > Thanks
>>> >> >> > Abid
>>> >> >> >
>>> >> >> > --
>>> >> >> >
>>> >> >> > ---
>>> >> >> > You received this message because you are subscribed to the Google
>>> >> >> > Groups "ossec-list" group.
>>> >> >> > To unsubscribe from this group and stop receiving emails from it,
>>> >> >> > send an email to [email protected].
>>> >> >> > For more options, visit https://groups.google.com/d/optout.
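
The checks described in this thread (agents present in client.keys, agent packets arriving on udp port 1514, the server replying), as an added example that is not part of the original messages or of OSSEC itself. The function names, the 192.0.2.x addresses, the key strings and the capture text are constructed; it assumes agents were added with a fixed IP and that the capture is text saved from `tcpdump -nni INTERFACE udp and port 1514` on the server.

```shell
#!/bin/sh
# Added example: all hosts, keys and packets below are constructed.

# Print ID, name and IP for each client.keys entry; never print field 4 (the key).
list_key_entries() {
    awk 'NF >= 4 && $1 !~ /^#/ { print $1, $2, $3 }' "$1"
}

# Read `tcpdump -nn` text on stdin and count UDP/1514 packets per peer.
# in = peer -> server:1514, out = server:1514 -> peer.
summarize_1514() {
    awk -v srv="$1" '
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if (dst == (srv ".1514")) { sub(/\.[0-9]+$/, "", src); rx[src]++; seen[src] = 1 }
            else if (src == (srv ".1514")) { sub(/\.[0-9]+$/, "", dst); tx[dst]++; seen[dst] = 1 }
        }
        END { for (p in seen) printf "%s in=%d out=%d\n", p, rx[p], tx[p] }' | sort
}

# usage: check_agents KEYS_FILE SERVER_IP < capture.txt
# Assumes agents were added with a fixed IP (not "any" or a CIDR range).
check_agents() {
    summary=$(summarize_1514 "$2")
    list_key_entries "$1" | while read -r id name ip; do
        line=$(printf '%s\n' "$summary" | awk -v ip="$ip" '$1 == ip')
        case "$line" in
            "")     echo "$id $name $ip no-traffic" ;;  # nothing reached the server
            *out=0) echo "$id $name $ip no-reply" ;;    # server never answered
            *)      echo "$id $name $ip ok" ;;
        esac
    done
}

demo() {
    keys=$(mktemp); cap=$(mktemp)
    cat > "$keys" <<'EOF'
001 dc01 192.0.2.10 CONSTRUCTED-NOT-A-REAL-KEY-1
002 dc02 192.0.2.11 CONSTRUCTED-NOT-A-REAL-KEY-2
003 dc03 192.0.2.12 CONSTRUCTED-NOT-A-REAL-KEY-3
EOF
    cat > "$cap" <<'EOF'
10:00:01.000001 IP 192.0.2.10.49152 > 192.0.2.5.1514: UDP, length 73
10:00:01.000900 IP 192.0.2.5.1514 > 192.0.2.10.49152: UDP, length 73
10:00:02.000001 IP 192.0.2.11.49153 > 192.0.2.5.1514: UDP, length 73
10:00:07.000001 IP 192.0.2.11.49153 > 192.0.2.5.1514: UDP, length 73
EOF
    check_agents "$keys" 192.0.2.5 < "$cap"
    rm -f "$keys" "$cap"
}
demo
```

A `no-traffic` result matches the situation in the latest reply (nothing from the agent reaches the server, so look at filtering in between or whether the agent is running); `no-reply` points at the server side, where ossec.log is the next place to look.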
